A separate concern I have is that Web sites running ReCaptcha often require leaking privacy-invasive information to Google, in the course of using the site.
Not only does Google presumably usually know exactly who you are when you visit that site, but even if you normally block other Google hidden Web trackers, you can't block the ReCaptcha tracker, so in some cases Google can have a very good idea of what you do on the site.
So, while this browser extension might relieve some of the visible annoyance, it doesn't relieve the more insidious problem.
Users are punished if Google is unaware of them. I built an iOS app for a major brand but the web view would load with no cookies in a sandbox, and we realized after roll out that all users were needing to solve 10+ hard CAPTCHA challenges to be let through, as Google was unfamiliar with the users. You’ll get a similar experience loading over a VPN. We removed it.
It’s easy to see why device attestation is so alluring to these companies. Anonymity and bots look alike.
i didn't even think of that but makes sense. valuable pov.
either way I'm sure most people are just annoyed with the gate code than they are with the tracking and would take the cookie every time. and i feel like this is similar to many things especially with google.
but people just would rather just believe these companies are against them haha. kinda silly imo
Recently I attempted to buy concert tickets from a well known ticket seller. It insisted I was a bot, even after disabling my uMatrix and uBlock Origin. There was no way to prove that I was not, not even a CAPTCHA. So I decided to simply not buy any tickets.
This is just one example. I get increasingly frustrated by how shit everything is and my way of dealing with it is to disengage. It is rather sad, but I was not put on this earth to wrangle apps, QR codes, verification codes, passwords, usernames, e-mails, TOTP codes, updates, activation codes, etc.
I recommend buying tickets directly at the venue instead of ticket resellers. In most cases they will presell tickets at the door and you can almost always buy some at the door on the night of the show - unless it's some superstar, probably. YMMV.
You can have a very hard captcha that bots cannot solve, but that discriminates against the disabled. This gives you privacy and abuse-prevention, but not accessibility. You can have a very easy captcha (or possibly multiple alternative challenges), but bots can solve those easily. This gives you accessibility and privacy, but not abuse prevention. You can mostly have easy, accessible captchas, but rely on invasive tracking and fingerprinting; this gives you accessibility and abuse-prevention, but not privacy. There's no way to have all three.
As AI gets better, traditional captchas get more and more useless, and you need more and more tracking. We'll probably reach a point where there's no task that computers can easily verify but AIs can't easily perform, except being "vouched for" by a company that the website owner trusts.
Most captchas don't even come off as actual abuse protection, but rather seem to exist because someone wanted to check some box for more cargo cult "security". I can understand captchas being on login pages, ideally only after a few failed logins. But most usage seems to involve gating simple pages, often on sites that should want to be publishing their data far and wide (like ecommerce). And if your site implementation is that bloated that serving what should be static pages creates significant load, you should work on fixing that rather than adding band-aids that make your site even less usable.
Can't we have some kind of a crypto scheme, which proves to the web site I am a good boy, without revealing my identity and without enabling the website to link my current visit to my previous visits or to visits on other websites?
I hate the webassembly ones which force you out of "Safer" mode to pass on TBB. I get the bad feeling they fingerprint hardware which is why they're in webassembly.
In my experience with ubo on desktop FF, with settings which block all that crap by default it suffices to allow the domain EnCraptcha, loudblare, and others are coming from only temporarily, meaning only for the timeframe to have that captcha functioning. Not even reloading the site, and after completing it, unchecking that (single) domain entry. Falling back to forbidden, again without reloading the site. This is usually enough for the site to work, be it in reader mode, or 'native' without JS.
If not, I usually don't care, and go elsewhere on my list of distractions :)
It's not even complicated, just one click in ubo, after looking at the usual suspects, making the stupid machines feel happy, next click to deny that happiness, making ME happy, moving on.
Just out of the corner of my eyes, muscle memory, whatever...
If this is true, why hasn't there been a huge fine against Google for it? At this point, the net of GDPR is so wide as to be useless to me. If I see one more fucking cookie disclaimer, I will snap. Is this really making us "safer" or "more secure/private"? I doubt it, but lots of small software consultancies in the EU made a bundle charging everyone to upgrade their websites to make them GDPR-compliant!
Can you elaborate on why these are violations of GDPR? I presume Google handles the data for EU customers in a manner compliant with GDPR (one would think).
> reCAPTCHA challenges remain a considerable burden on the web, delaying and often blocking our access to services and information depending on our physical and cognitive abilities, our social and cultural background, and the devices or networks we connect from.
I'm a visually impaired user, and watching captchas get more and more hostile to people like me has been... difficult.
I imagine it’s going to result in some ADA suits sooner or later, like when people went around suing businesses who didn’t have a ramp alternative to stairs.
I suppose because a bunch of the automated solvers use the audio as a workaround, the audio ones have become borderline (or even over the line) unlistenable.
The most recent few I've done have sounded like someone whispering "they threw their hair through the chair there" next to a propeller plane in a heavy thunderstorm.
I'm kinda surprised captcha still exists. It's pretty clear that the robots have beaten it, and when they haven't you can hire armies of humans for the price of a latte.
Not that I want trillions of bots hitting up every resource on the Internet. But I don't see how to stop it at this point except by excluding a fair number of regular people.
For big sites I agree, but for small to medium it's clear to me. The amount of shit thrown your way drops dramatically with a captcha in the way. It's enough to stop the barely interested scanners/attackers, which in my experience is a huge number of people.
Countering advanced bots is a game of economics. Sure, we know that they can solve the captchas, but they usually can’t do so for free. E.g., typical captcha solver services are around $1/thousand solved. Depending on the unit economics of a particular bot that might be cheap or it might completely destroy the business model. I’ve definitely seen a lot of professionally operated bots where they invest a lot of effort into solving the fewest captchas possible to keep the cost down.
That captchas are completely useless is a popular myth.
That depends what problem you're trying to solve. I've seen web applications deal with someone throwing rockyou at hundreds of users on the logon form. This sort of large scale brute forcing was completely arrested by captcha, the workarounds just aren't worth it at the scale.
There are proof-of-work schemes to slow the requests. People point out these would drain mobile batteries too fast, but don't mobile devices usually leak so much data they don't need to solve captchas as often anyway?
This argument might have flown a decade ago, but our current economic environment is largely characterized by ignoring reality - creating vibes for upper management and shareholders is what really matters. And telling them we implemented a CAPTCHA solution creates that vibe.
I've tried throwing CAPTCHA challenges at gpt-4o, and it has so far solved all of them for me, except for OpenAI's challenge (the one where you align a hand with an object).
I'm assuming they fine-tuned the model to make it less capable of solving those.
An issue with the extension mentioned here is that it's not helping against the fingerprinting... it's actually leaving even more of a fingerprint.
It's even worse if you enable Firefox's fingerprinting resistance. For example Drupal.org is essentially unusable with Firefox anti-fingerprinting (even for basic things like patch information). Ditto Zillow.
I have to use a separate "fingerprint me" profile.
I use Firefox exclusively with default anti-tracking settings plus CookieAutoDelete. But I guess I see less than 1 captcha a week.
AWS on my private, hardly used account was the most annoying one in the past because I had at least a 50% chance to get it wrong. But that no longer comes up after I enabled 2FA.
Of course, if you're merely embedding someone else's site then it makes a lot of sense to get captcha'ed to death.
The only real value in captchas isn't to stop bots, but to make it more expensive, or slower, for an adversary to abuse your service at scale.
Examples being privacy pass and private access tokens, though I haven't seen much mention of them recently.
(In the typical meaning of PoW, as opposed to human attention-work)
- something gets abused
- a solution is needed to stop the abuse
- the 'techies' implement recaptcha and they are not aware of the regulatory implications
- it's such a small thing that it often gets overlooked in internal audits
Google fonts from their cdn is another.
Landing page Youtube videos is another but a little bit more well known.
The user should be warned so they can decide if they want to give Google everything; how else would they know?
I installed CalcNote on a new android phone today and had to untick "legitimate uses" for 3 vendors in several places, including Google and Bytedance.
Felt like I needed a shower once I was finished setting it up with the minimal apps that I use
i would've thought the audio version of the captcha can still work for such a user?
With it off our system is filled with spam and bots. With it on it drops to 0.
What else should we do instead?
I’ve heard this before, but where does one actually hire these humans? Mturk is the only thing that comes to mind.
I suspect these businesses do a first pass of ML in case the captcha is easy, before sending it to a human to be solved manually.
Bots cost nothing to Google. Heck, Google's main business IS a huge freaking bot!
this project is awesome. but it will only make google go harder against accessibility in the long run.